From: Frank Plowman
To: ffmpeg-devel@ffmpeg.org
Cc: Frank Plowman, nuomi2021@gmail.com
Date: Sat, 24 May 2025 13:12:25 +0100
Message-ID: <20250524121322.70696-1-post@frankplowman.com>
Subject: [FFmpeg-devel] [PATCH] lavc/vvc: Fix divide-by-zero in LMCS param derivation

Add three missing requirements on bitstream conformance from 7.4.3.19 of H.266 (V3). Issue found using fuzzing.

Signed-off-by: Frank Plowman
---
 libavcodec/vvc/ps.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/libavcodec/vvc/ps.c b/libavcodec/vvc/ps.c index 1f3c2edbb7..3228ea6803 100644 --- a/libavcodec/vvc/ps.c +++ b/libavcodec/vvc/ps.c @@ -849,7 +849,7 @@ static int lmcs_derive_lut(VVCLMCS *lmcs, const H266RawAPS *rlmcs, const H266Raw uint16_t input_pivot[LMCS_MAX_BIN_SIZE]; uint16_t scale_coeff[LMCS_MAX_BIN_SIZE]; uint16_t inv_scale_coeff[LMCS_MAX_BIN_SIZE]; - int i, delta_crs; + int i, delta_crs, sum_cw; if (bit_depth > LMCS_MAX_BIT_DEPTH) return AVERROR_PATCHWELCOME; 
@@ -860,8 +860,13 @@ static int lmcs_derive_lut(VVCLMCS *lmcs, const H266RawAPS *rlmcs, const H266Raw lmcs->max_bin_idx = LMCS_MAX_BIN_SIZE - 1 - rlmcs->lmcs_delta_max_bin_idx; memset(cw, 0, sizeof(cw)); - for (int i = lmcs->min_bin_idx; i <= lmcs->max_bin_idx; i++) + sum_cw = 0; + for (int i = lmcs->min_bin_idx; i <= lmcs->max_bin_idx; i++) { cw[i] = org_cw + (1 - 2 * rlmcs->lmcs_delta_sign_cw_flag[i]) * rlmcs->lmcs_delta_abs_cw[i]; + sum_cw += cw[i]; + } + if (sum_cw > (1 << bit_depth) - 1) + return AVERROR_INVALIDDATA; delta_crs = (1 - 2 * rlmcs->lmcs_delta_sign_crs_flag) * rlmcs->lmcs_delta_abs_crs; @@ -869,13 +874,20 @@ static int lmcs_derive_lut(VVCLMCS *lmcs, const H266RawAPS *rlmcs, const H266Raw for (i = 0; i < LMCS_MAX_BIN_SIZE; i++) { input_pivot[i] = i * org_cw; lmcs->pivot[i + 1] = lmcs->pivot[i] + cw[i]; + if (i >= lmcs->min_bin_idx && i <= lmcs->max_bin_idx + && lmcs->pivot[i] % (1 << (bit_depth - 5)) != 0 + && lmcs->pivot[i] >> (bit_depth - 5) == lmcs->pivot[i + 1] >> (bit_depth - 5)) + return AVERROR_INVALIDDATA; scale_coeff[i] = (cw[i] * (1 << 11) + off) >> shift; if (cw[i] == 0) { inv_scale_coeff[i] = 0; lmcs->chroma_scale_coeff[i] = (1 << 11); } else { + const int cw_plus_d = cw[i] + delta_crs; + if (cw_plus_d < (org_cw >> 3) || cw_plus_d > ((org_cw << 3) - 1)) + return AVERROR_INVALIDDATA; inv_scale_coeff[i] = org_cw * (1 << 11) / cw[i]; - lmcs->chroma_scale_coeff[i] = org_cw * (1 << 11) / cw_plus_d; } }
--
2.47.0
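Review bot: In the @@ -860,8 +860,13 @@ hunk, the new rejection `if (sum_cw > (1 << bit_depth) - 1)` has no comment or log message tying it to the 7.4.3.19 requirement that the commit message cites, so a later reader cannot tell which conformance rule it enforces or why a stream was refused. A one-line comment above the check naming the clause, and an error-level log before `return AVERROR_INVALIDDATA;`, would cover both. As a smaller point, `sum_cw` is declared at function scope in the first hunk but zeroed and used only around this loop; initialising it where it is declared, or declaring it next to the loop, keeps the accumulator and its reset together.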
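Review bot: In the @@ -869,13 +874,20 @@ hunk, the lower bound `cw_plus_d < (org_cw >> 3)` excludes a zero divisor in `org_cw * (1 << 11) / cw_plus_d` only when `org_cw >> 3` is at least 1, and the only bit-depth check visible in this patch is the upper bound `bit_depth > LMCS_MAX_BIT_DEPTH`. Either state in a comment why `org_cw` is always large enough, or reject `cw_plus_d <= 0` explicitly so the divide-by-zero fix does not depend on a value derived elsewhere. The same missing lower bound affects the pivot check earlier in the hunk: `1 << (bit_depth - 5)` and `>> (bit_depth - 5)` are undefined for a bit depth below 5, and that expression would read more safely with the shift amount in a named local and parentheses around each side of the `==`. Both new returns also fire after `lmcs->pivot[i + 1]` has been written, so `lmcs` is left partly filled on failure; it is worth confirming that callers discard it on error.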